© 2019 VERACODE INC. 1
Application Security: Why Does It Take So Long?
Software security is surprisingly difficult
• Poorly written software results in vulnerabilities that put customers and their sensitive data at risk
• We understand software vulnerabilities pretty well, but things aren’t improving very quickly – why not?
• When we have a massive software security data set, we can extract some interesting learnings that may help us improve
My background
• Vice President of Research
• 20 years in application security: building, breaking, and defending software
• Leads all security research initiatives at Veracode
• Previously: US Dept of Defense, @stake, Symantec (via acquisition)
Who are you?
• Security
• Operations
• Developer
• Other
Context
All companies are software companies

Apps Tied to Bottom Line
78% of enterprises believe that the shift to becoming a software-driven business will be a critical driver of competitive advantage. Over 40% say it is already affecting new product and service development.

"Domino's has almost turned itself into a technology company that maybe just happens to sell pizza on the side. We look at metrics like orders per minute, actual transactions out to stores, and that can tell us what customers are ordering, in real time."
– Russ Turner, IT Manager

"Digital sport, as we call it at Nike, is incredibly important to us. We think it's going to be a bigger and bigger factor in terms of the experience that consumers have with the products that we create…. We are focusing more on the software side of the experience."
– Mark Parker, CEO

"At its heart, Tesla is a software developer dressed in a carmaker's robes… This software focus affords Tesla a flexible and dynamic approach to updating its fleet, something that few, if any, other carmakers have been able to accomplish."
– Leah Niu, Motley Fool

"Airbnb makes its money in real estate. But everything inside of how Airbnb runs has much more in common with Facebook or Google or Microsoft or Oracle than with any real estate company. What makes Airbnb function is its software engine…. It’s a tech company."
– Marc Andreessen, Investor
State of Software Security Volume 9
• Largest quantitative study of application security findings
• Based on data from over 700,000 application scans over a 12-month period representing 2 trillion lines of code
• Insights into industry performance, third-party component risks, vulnerability trends, and remediation rates
• Partnered with data scientists at the Cyentia Institute to analyze the data set
So what’s new?
The more things change…
The most common vulnerabilities present in applications remained largely the same:
• SQL injection is still present in nearly one in three applications
• Cross-Site Scripting is found in nearly 50% of applications
Prevalence of common flaw categories
Focus on fixing
Flaw persistence
Flaw persistence analysis: the probability that a vulnerability will remain in an application over time
Overall flaw persistence interval
Flaw persistence by flaw category
Flaw persistence by language
Flaw persistence by flaw severity
You’d think higher severity flaws would be fixed faster (but you’d be wrong)
Flaw persistence by app criticality
You’d think flaws in business-critical apps would be fixed much faster (but you’d be wrong)
The DevOps effect
What is DevOps?
DevOps is a cultural and professional movement, focused on how we build and operate high velocity organizations, born from the experiences of its practitioners.
– Nathen Harvey, Developer Advocate @ Google (formerly VP Community Development @ Chef)
The evolving developer mindset
Security is everyone’s job now, not just the security team’s. With continuous integration and continuous deployment, all developers have to be security engineers... We move too fast for there to be time for reviews by the security team beforehand.
That needs automation, and it needs to be integrated into your process. Each and every piece should get security integrated into it... before and after being deployed.
– Werner Vogels, Amazon CTO, at AWS re:Invent 2017
DevOps is changing the way developers work
67% stated they actively work at an organization that practices DevOps; 50% are practicing continuous delivery (Source: Jenkins)
46x: high performing organizations deploy code 46x more frequently than their peers (Source: Puppet Labs)
34% of developers say they build multiple times per day or during check-in (Source: Forrester)
<1 hr: high performing organizations have less than one hour of lead time to make changes (Source: Puppet Labs)
440x: high performing organizations have 440x faster lead time from commit to deploy than their peers (Source: Puppet Labs)
Scan frequency as a proxy for DevOps
Annual scan rates
Days between scans based on annual rate
DevSecOps increases fix velocity (?)
Fig. 43 (Fix Velocity Based on Scan Frequency): Organizations that adopt DevOps practices outperform their peers in how quickly they fix flaws; the most active DevSecOps programs fix flaws more than 11.5x faster than the typical organization.
Flaws persist 3.5x longer in applications only scanned 1 to 3 times per year compared to ones tested 7 to 12 times per year.
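The two measurements behind these slides, the flaw persistence analysis defined earlier (the probability that a flaw is still open t days after it was first found) and the comparison of that persistence across scan-frequency bands, are worked through here as an added example on constructed data. This is not Veracode's code or data set. It uses a Kaplan-Meier survival estimate so that flaws still open at an application's most recent scan are right-censored rather than silently dropped or counted as fixed, which is the usual way such a curve is biased. The app names, flaw records and the band edges (1-3, 4-6, 7-12, 13+ scans per year) are assumptions of the example.

```python
"""Flaw persistence over time and by scan frequency (added example, constructed data).

Not Veracode's code or data. Each Flaw says when it first appeared in a scan, when
(if ever) a later scan found it gone, and the date of the app's most recent scan.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Flaw:
    app: str
    first_seen: date            # scan date on which the flaw first appeared
    fixed_on: Optional[date]    # scan date on which it was first absent; None = still open
    last_scan: date             # most recent scan of the app (censoring point if still open)

    @property
    def closed(self) -> bool:
        return self.fixed_on is not None

    @property
    def duration_days(self) -> int:
        """Days open until fixed, or days observed open so far for a still-open flaw."""
        end = self.fixed_on if self.closed else self.last_scan
        return (end - self.first_seen).days


def survival_curve(flaws: Iterable[Flaw]) -> List[Tuple[int, float]]:
    """Kaplan-Meier estimate of S(t) = P(flaw still open after t days).

    Returns (t, S(t)) at t=0 and at each distinct fix time. Still-open flaws are
    right-censored: they stay in the 'at risk' set up to their last scan and then
    leave it without ever counting as a fix.
    """
    flaws = list(flaws)
    curve, s = [(0, 1.0)], 1.0
    for t in sorted({f.duration_days for f in flaws if f.closed}):
        at_risk = sum(1 for f in flaws if f.duration_days >= t)
        fixed = sum(1 for f in flaws if f.closed and f.duration_days == t)
        s *= 1.0 - fixed / at_risk
        curve.append((t, s))
    return curve


def persistence_at(curve: List[Tuple[int, float]], t: int) -> float:
    """S(t) read off the step curve: probability a flaw is still open t days after discovery."""
    s = 1.0
    for step_t, step_s in curve:
        if step_t > t:
            break
        s = step_s
    return s


def median_persistence(curve: List[Tuple[int, float]]) -> Optional[int]:
    """Smallest t at which at most half the flaws remain open; None if never reached."""
    for t, s in curve:
        if s <= 0.5:
            return t
    return None


def scan_band(scans_per_year: int) -> str:
    """Bucket an app by annual scan count (band edges are an assumption of this example)."""
    if scans_per_year <= 3:
        return "1-3"
    if scans_per_year <= 6:
        return "4-6"
    if scans_per_year <= 12:
        return "7-12"
    return "13+"


def persistence_by_scan_band(flaws: Iterable[Flaw],
                             scans_per_year: Dict[str, int]) -> Dict[str, Optional[int]]:
    """Median flaw persistence (days) per scan-frequency band, the talk's DevOps proxy."""
    by_band: Dict[str, List[Flaw]] = {}
    for f in flaws:
        by_band.setdefault(scan_band(scans_per_year[f.app]), []).append(f)
    return {band: median_persistence(survival_curve(fs)) for band, fs in by_band.items()}


# Constructed sample: 'ledger' is scanned twice a year, 'checkout' monthly.
_D0 = date(2018, 1, 1)


def _day(n: int) -> date:
    return _D0 + timedelta(days=n)


SCANS_PER_YEAR = {"ledger": 2, "checkout": 12}
SAMPLE_FLAWS = [
    Flaw("ledger", _day(0), _day(180), _day(360)),
    Flaw("ledger", _day(0), _day(360), _day(360)),
    Flaw("ledger", _day(0), None, _day(360)),        # still open at the last scan
    Flaw("ledger", _day(180), _day(360), _day(360)),
    Flaw("checkout", _day(0), _day(30), _day(360)),
    Flaw("checkout", _day(0), _day(60), _day(360)),
    Flaw("checkout", _day(30), _day(60), _day(360)),
    Flaw("checkout", _day(60), None, _day(360)),     # still open at the last scan
    Flaw("checkout", _day(90), _day(120), _day(360)),
]

if __name__ == "__main__":
    curve = survival_curve(SAMPLE_FLAWS)
    print("S(t):", [(t, round(s, 3)) for t, s in curve])
    print("median persistence (days):", median_persistence(curve))
    print("median by scan band:", persistence_by_scan_band(SAMPLE_FLAWS, SCANS_PER_YEAR))
```

On this constructed sample the monthly-scanned app reaches 50% persistence at 30 days and the twice-yearly one at 180 days; the resolution of the curve is bounded by the scan interval, since a flaw can only be observed as fixed on a scan date, which is one reason infrequent scanning and long persistence travel together in this kind of data.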
Same chart, with numbers
Financial industry spotlight
Financial industry overview
OWASP pass rates by industry
Vulnerability categories by industry
Flaw persistence by industry
Takeaways
• Organizations are getting better at fixing flaws, but there is still a long way to go
• Prevalence of the most common flaw categories is mostly the same year over year
• Several factors you’d logically expect to influence flaw remediation speed actually do not
• DevSecOps practices (specifically, scan frequency) correlate strongly with better fix rates
Suggested action plan
• Next you should:
  – Read the State of Software Security Report (http://veracode.com/soss)
  – Start talking to your peers in development/security about integrating application security in your development processes
• In the next three months you should:
  – Start training your developers on application security
  – Set achievable policies around vulnerability fix timeframes and measure developer compliance
  – Begin to inventory your applications to understand the risks associated with the use of third-party (e.g. open source) components
• Within six months you should:
  – Work with your development teams to implement application security into your development toolchain(s) – figure out how to increase scan frequency!
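To make the "set achievable policies around fix timeframes and measure compliance" step concrete, here is an added example that scores findings against per-severity fix windows and reports a compliance rate per severity or per team. It is not Veracode's code and does not describe any product's policy feature; the SLA values, team names and findings are assumptions. The check it adds that the action plan does not spell out: a finding that is still open but not yet past its due date must be kept out of the rate. Count it as a miss and a team that just ran its first scan looks non-compliant; ignore open findings altogether and the overdue ones disappear from the metric.

```python
"""Fix-timeframe policy compliance (added example, constructed data).

Not Veracode's code. SLA windows, teams and findings below are assumptions.
Each finding is judged against its due date (found_on + SLA days for its severity):
fixed in time -> 'met'; fixed late -> 'missed'; open and past due at the
measurement date -> 'overdue'; open and not yet due -> 'not_yet_due', which is
excluded from the rate so freshly found flaws neither inflate nor deflate it.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, Iterable, Optional

# Assumed policy: maximum days from discovery to fix, by severity.
FIX_SLA_DAYS: Dict[str, int] = {"very high": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    flaw_id: str
    team: str
    severity: str
    found_on: date
    fixed_on: Optional[date] = None   # None = still open


def classify(finding: Finding, as_of: date, sla: Dict[str, int] = FIX_SLA_DAYS) -> str:
    """Status of one finding relative to its fix window, as of a measurement date."""
    if finding.severity not in sla:
        # A severity the policy does not cover is a policy gap, not a silent pass.
        raise ValueError(f"no fix timeframe defined for severity {finding.severity!r}")
    due = finding.found_on + timedelta(days=sla[finding.severity])
    if finding.fixed_on is not None:
        return "met" if finding.fixed_on <= due else "missed"
    return "overdue" if as_of > due else "not_yet_due"


def compliance_report(findings: Iterable[Finding], as_of: date,
                      key: Callable[[Finding], str] = lambda f: f.severity,
                      sla: Dict[str, int] = FIX_SLA_DAYS) -> Dict[str, Dict[str, object]]:
    """Per group (severity by default; pass key=lambda f: f.team for teams):
    status counts and rate = met / (met + missed + overdue). Rate is None when
    nothing in the group is due yet."""
    counts: Dict[str, Counter] = {}
    for f in findings:
        counts.setdefault(key(f), Counter())[classify(f, as_of, sla)] += 1
    report: Dict[str, Dict[str, object]] = {}
    for group, c in counts.items():
        due = c["met"] + c["missed"] + c["overdue"]
        report[group] = {
            "met": c["met"], "missed": c["missed"], "overdue": c["overdue"],
            "not_yet_due": c["not_yet_due"],
            "rate": (c["met"] / due) if due else None,
        }
    return report


# Constructed findings, measured as of 2019-03-01.
AS_OF = date(2019, 3, 1)
SAMPLE_FINDINGS = [
    Finding("F1", "payments", "very high", date(2019, 1, 10), date(2019, 1, 15)),  # met (due 01-17)
    Finding("F2", "payments", "very high", date(2019, 1, 10), date(2019, 2, 20)),  # missed
    Finding("F3", "platform", "high", date(2019, 2, 15)),                          # open, due 03-17: not yet due
    Finding("F4", "payments", "high", date(2018, 12, 1)),                          # open, due 12-31: overdue
    Finding("F5", "platform", "medium", date(2018, 10, 1), date(2018, 12, 15)),    # met (due 12-30)
    Finding("F6", "platform", "low", date(2019, 1, 1), date(2019, 2, 1)),          # met (due 06-30)
]

if __name__ == "__main__":
    for group, row in compliance_report(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{group:10s} {row}")
    for team, row in compliance_report(SAMPLE_FINDINGS, AS_OF, key=lambda f: f.team).items():
        print(f"{team:10s} {row}")
```

Run against the sample, "high" shows a 0% rate on one due finding while a second one is still inside its window; the same data grouped by team gives payments 1/3 and platform 100%, which is the per-developer view the action plan asks for.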